Merge pull request #735 from nsacyber/v3_issue_719-aca_service

Adds a his-aca service to Linux packaging scripts

HIRS_AttestationCAPortal/build.gradle

@@ -130,8 +130,9 @@ ospackage {
 
     // Uninstall
     preUninstall 'bash /opt/hirs/aca/scripts/aca/aca_remove_setup.sh'
+    preUninstall 'bash /opt/hirs/aca/scripts/systemd/aca_disable_service.sh'
     postUninstall 'if [ -d /etc/hirs ]; then rm -rf /etc/hirs; fi;'
-    
+
     buildRpm {
         dependsOn  ':HIRS_AttestationCAPortal:buildVersion'
         dependsOn  ':HIRS_AttestationCAPortal:bootWar'
@@ -147,9 +148,10 @@ ospackage {
         postTrans 'firewall-cmd --add-port=8443/tcp --permanent'
         postTrans 'firewall-cmd --reload'
         postTrans 'bash /opt/hirs/aca/scripts/aca/aca_setup.sh -u'
-        postTrans 'bash /opt/hirs/aca/scripts/aca/aca_bootRun.sh -w &'
+        postTrans 'bash /opt/hirs/aca/scripts/systemd/aca_enable_service.sh'
+     // postTrans 'bash /opt/hirs/aca/scripts/aca/aca_bootRun.sh -w &'
         // add chrontab to run ACA at boot
-        postTrans 'echo "@reboot root /opt/hirs/aca/scripts/aca/aca_bootRun.sh -w" >> /etc/crontab'
+        //postTrans 'echo "@reboot root /opt/hirs/aca/scripts/aca/aca_bootRun.sh -w" >> /etc/crontab'
         postTrans 'chmod +x /opt/hirs/aca/scripts/aca/*'
         postTrans 'if [ -f /opt/hirs/aca/VERSION ]; then rm /opt/hirs/aca/VERSION; fi;'
         // Wait for ACA to start up before finishing the install
@@ -166,7 +168,8 @@ ospackage {
         requires('curl')
         // Install after required packages
         postInstall 'bash /opt/hirs/aca/scripts/aca/aca_setup.sh -u'
-        postInstall '/opt/hirs/aca/scripts/aca/aca_bootRun.sh -w &'
+        //postInstall '/opt/hirs/aca/scripts/aca/aca_bootRun.sh -w &'
+        postInstall 'bash /opt/hirs/aca/scripts/systemd/aca_enable_service.sh'
         postInstall 'echo "@reboot root /opt/hirs/aca/scripts/aca/aca_bootRun.sh -w" >> /etc/crontab'
         postInstall 'chmod +x /opt/hirs/aca/scripts/aca/*'
         postInstall 'if [ -f /opt/hirs/aca/VERSION ]; then rm /opt/hirs/aca/VERSION; fi;'

package/linux/aca/aca_bootRun.sh

@@ -132,5 +132,6 @@ if [ -z "$USE_WAR" ]; then
 else
   echo "Booting the ACA from a war file..."
  # java -jar $WAR_PATH $CONNECTOR_PARAMS$WEB_TLS_PARAMS &
-java -jar  $WAR_PATH --spring.config.location=$SPRING_PROP_FILE & disown -h
+java -jar  $WAR_PATH --spring.config.location=$SPRING_PROP_FILE &
+exit 0
 fi

package/linux/aca/aca_check_setup.sh

@@ -92,13 +92,13 @@ echo "Checking HIRS ACA Setup on this device..."
   fi
   if [ $? -eq 0 ]; then
       echo "HIRS ACA was installed via an OS package on this device"
-      if [[ $(cat /etc/crontab | grep -c hirs/aca) > 0 ]]; then 
-           echo "  HIRS ACA is set to start on boot via crontab file"
+      systemctl is-active --quiet hirs-aca
+      if [[ $? -eq 0 ]]; then
+        echo "    The hirs-aca service is active"
         else
-           echo "  HIRS ACA is NOT set to start on boot via crontab file"
+        echo "    Error: ACA package install but the hirs-aca service is dead"
+        ALL_CHECKS_PASSED=false
       fi
-    else
-      echo "HIRS ACA was NOT installed via an OS package on this device" 
   fi
 
 check_systemd -p
@@ -221,7 +221,7 @@ check_pki () {
     if [ $ALL_CERTS_PASSED == true ]; then
          echo "   All RSA and ECC certificates under $CERT_PATH are valid"
       else
-         echo "   There were error in the certificates under $CERT_PATH"
+         echo "   Error: There were error in the certificates under $CERT_PATH"
     fi
        keytool -list -keystore  /etc/hirs/certificates/HIRS/TrustStore.jks  -storepass $hirs_pki_password | grep hirs | sed -e 's/^/     /' > /dev/null
     else  #verbose
@@ -244,15 +244,16 @@ check_db () {
   if [ "$RESULT" == "YES" ]; then
       echo "   Mysql Server side TLS is enabled:"
     else
-      echo "   Mysql Server side TLS is NOT enabled:"
+      echo "   Error: Mysql Server side TLS is NOT enabled:"
       ALL_CHECKS_PASSED=false
   fi
   
+  
   RESULT=$(mysqlshow --user=hirs_db --password=$hirs_db_password hirs_db|  grep -o hirs_db)
   if [ "$RESULT" == "hirs_db" ]; then
       echo "   The hirs_db database is visable by the hirs_db user"
     else
-      echo "   The hirs_db database is NOT visable by the hirs_db user"
+      echo "   Error: The hirs_db database is NOT visable by the hirs_db user"
       ALL_CHECKS_PASSED=false
   fi
    if [ ! -z "${ARG_VERBOSE}" ]; then
@@ -263,6 +264,8 @@ check_db () {
     --ssl-key=/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_db_client_rsa_3k_sha384.key
     echo "Mysql TLS configuration"
     mysql -u root --password=$mysql_admin_password -e "SHOW VARIABLES LIKE '%ssl%'"
+    echo "TLS versions allowed on maraidb:"
+    mysql -u root --password=$mysql_admin_password -e "SHOW GLOBAL VARIABLES LIKE 'tls_version'";
     echo "hirs_db user database access:"
     mysql -u hirs_db --password=$hirs_db_password -e "SHOW DATABASES;";
     echo "Privileges for the hirs_db user:"
@@ -289,7 +292,7 @@ check_selinux () {
        if [[ "$DB_SRV_CONTEXT" == *"mysqld_etc_t"* &&  "$DB_CLIENT_CONTEXT" == *"mysqld_etc_t"* ]]; then
          echo "   Selinux status is $SELINUXSTATUS and both $DB_SRV_CONF and $DB_CLIENT_CONF contexts are correct"
        elif [[ "$DB_CLIENT_CONTEXT" == *"mysqld_etc_t"* ]]; then
-         echo "   Selinux status is $SELINUXSTATUS and $DB_CLIENT_CONF context is incorrect: $DB_CLIENT_CONTEXT"
+         echo "   Error: Selinux status is $SELINUXSTATUS and $DB_CLIENT_CONF context is incorrect: $DB_CLIENT_CONTEXT"
          ALL_CHECKS_PASSED=false
      else
         echo "   Selinux status is $SELINUXSTATUS and $DB_SRV_CONF context is incorrect: $DB_SRV_CONTEXT"

package/linux/aca/aca_setup.sh

@@ -96,9 +96,12 @@ fi
 echo "HIRS ACA Setup initiated on $(date +%Y-%m-%d)" >> "$LOG_FILE"
 
 # Create a version file for bootRun to use
-if  command -v git ; then 
-   jarVersion=$(cat '../../../VERSION').$(date +%s).$(git rev-parse --short  HEAD)
+if command -v git &> /dev/null; then
+   git rev-parse --is-inside-work-tree  &> /dev/null;
+   if [ $? -eq 0 ]; then
+     jarVersion=$(cat '../../../VERSION').$(date +%s).$(git rev-parse --short  HEAD)
    echo $jarVersion > $ACA_VERSION_FILE
+   fi
 fi
 
 # Set HIRS PKI  password

package/linux/aca/aca_stop.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+#####################################################################################
+#
+# Script to stop the ACA when running
+#
+#####################################################################################
+
+
+kill -15 $(pgrep -f HIRS_AttestationCAPortal)

package/linux/db/db_create.sh

@@ -111,6 +111,11 @@ set_mysql_server_tls () {
     echo "ssl_ca=$SSL_DB_SRV_CHAIN" >> "$DB_SRV_CONF"
     echo "ssl_cert=$SSL_DB_SRV_CERT" >> "$DB_SRV_CONF"
     echo "ssl_key=$SSL_DB_SRV_KEY" >> "$DB_SRV_CONF"
+    # The following arent avialble in Mariadb 10.3
+    #echo "tls_version=TLSv1.2,TLSv1.3" >> "$DB_SRV_CONF"
+    #echo "require_secure_transport=ON" >> "$DB_SRV_CONF"
+    
+    
     # Make sure mysql can access them
     chown mysql:mysql $SSL_DB_SRV_CHAIN $SSL_DB_SRV_CERT $SSL_DB_SRV_KEY
     # Make selinux contexts for config files, if selinux is enabled

package/linux/db/db_drop.sh

@@ -49,10 +49,15 @@ fi
 
 # Remove key , cert and truststore entries from client.cnf andf mariadb.cnf
 
-echo "Removing hirs cert references from mariadb configuration files"
+echo "Removing hirs tls references from mariadb configuration files"
 grep -v "hirs" $DB_SRV_CONF > tmpfile && mv tmpfile $DB_SRV_CONF
+# The following arent avialble in Mariadb 10.3
+#grep -v "tls_version" $DB_SRV_CONF > tmpfile && mv tmpfile $DB_SRV_CONF
+#grep -v "require_secure_transport" $DB_SRV_CONF > tmpfile && mv tmpfile $DB_SRV_CONF
+
 grep -v "hirs" $DB_CLIENT_CONF > tmpfile && mv tmpfile $DB_CLIENT_CONF
 
+
 echo "restarting mariadb"
 
 mysqld_reboot

package/linux/db/mysql_util.sh

@@ -11,9 +11,11 @@ SQL_SERVICE="mariadb"
 # -p to print status
 check_systemd () {
   DB_SERVICE=false
+  SYSD_SERVICE=false
   PRINT_STATUS=$1
   # Check if systemctl is present (not present in a Docker container)
   if [[ $(ps --no-headers -o comm 1) == "systemd" ]]; then
+    SYSD_SERVICE=true
     systemctl is-active --quiet mariadb
     if [[ $? -eq 0 ]]; then
        DB_SERVICE=true

package/linux/pki/pki_setup.sh

@@ -14,7 +14,9 @@ PKI_PASS=$2
 UNATTENDED=$3
 LOG_FILE_NAME="hirs_aca_install_"$(date +%Y-%m-%d).log
 LOG_DIR="/var/log/hirs/"
+HIRS_DIR=/etc/hirs
 HIRS_CONF_DIR=/etc/hirs/aca
+HIRS_CERT_DIR=/etc/hirs/certificates
 # Capture location of the script to allow from invocation from any location 
 SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )
 
@@ -65,9 +67,21 @@ if [ ! -d "/etc/hirs/certificates" ]; then
     $PKI_SETUP_DIR/pki_chain_gen.sh "HIRS" "ecc" "512" "sha384" "$PKI_PASS" "$LOG_FILE"
   popd &> /dev/null
 
+echo "Setting MYSQL permissions for DB TLS Certs..." | tee -a "$LOG_FILE"
+  find $HIRS_CERT_DIR -type f -iname "*.pem" -exec chmod 600 {} \; 
+  find $HIRS_CERT_DIR -type f -iname "*.jks" -exec chmod 600 {} \; 
+  find $HIRS_CERT_DIR -type f -iname "*.key" -exec chmod 600 {} \;
+  chown root:mysql $HIRS_CERT_DIR $HIRS_CERT_DIR/HIRS $HIRS_CERT_DIR/HIRS/rsa_3k_sha384_certs $HIRS_CERT_DIR/HIRS/ecc_512_sha384_certs
+  chmod 750 $HIRS_CERT_DIR $HIRS_CERT_DIR/HIRS $HIRS_CERT_DIR/HIRS/rsa_3k_sha384_certs $HIRS_CERT_DIR/HIRS/ecc_512_sha384_certs
+  chmod 755 $HIRS_DIR
+  chmod 750 $HIRS_CONF_DIR
+  chmod 755 $HIRS_CERT_DIR/HIRS/ecc_512_sha384_certs/HIRS_ecc_512_sha384_Cert_Chain.pem
+  chmod 755 $HIRS_CERT_DIR/HIRS/rsa_3k_sha384_certs/HIRS_rsa_3k_sha384_Cert_Chain.pem
+  
   echo "hirs_pki_password="$PKI_PASS >>  $ACA_PROP
   echo "server.ssl.key-store-password="$PKI_PASS >> $SPRING_PROP_FILE
   echo "server.ssl.trust-store-password="$PKI_PASS >> $SPRING_PROP_FILE
 else 
   echo "/etc/hirs/certificates exists, skipping" | tee -a "$LOG_FILE"
 fi
+chmod 600 $ACA_PROP

package/linux/systemd/aca_disable_service.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+#####################################################################################
+#
+# Script to remove the ACA service when running as a service if not running in a container
+#
+#####################################################################################
+
+SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )
+pushd $SCRIPT_DIR > /dev/null
+source ../db/mysql_util.sh
+
+check_systemd
+ if [ $SYSD_SERVICE = true ]; then
+    systemctl stop hirs-aca
+    systemctl disable hirs-aca.service
+    systemctl reset-failed hirs-aca
+ fi
+
+ popd > /dev/null

package/linux/systemd/aca_enable_service.sh

@@ -0,0 +1,22 @@
+#!/bin/bash
+#####################################################################################
+#
+# Script to add the ACA service when running as a service if not running in a container
+#
+#####################################################################################
+
+SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )
+pushd $SCRIPT_DIR > /dev/nill
+source ../db/mysql_util.sh
+
+check_systemd
+ if [ $SYSD_SERVICE = true ]; then
+    echo "Starting the ACA as a service..."
+    systemctl enable /opt/hirs/aca/scripts/systemd/hirs-aca.service
+    systemctl start hirs-aca
+ else 
+    echo "Starting the ACA via Springboot..."
+    bash /opt/hirs/aca/scripts/aca/aca_bootRun.sh -w &
+ fi
+
+ popd > /dev/null

package/linux/systemd/hirs-aca.service

@@ -0,0 +1,18 @@
+[Unit]
+Description=Host Integrity at Runtime and Startup (HIRS) Attestation CA service
+After=network.target
+
+[Service]
+User=root
+Group=root
+ExecStart=/usr/bin/bash /opt/hirs/aca/scripts/aca/aca_bootRun.sh -w
+SuccessExitStatus=0
+Restart=always
+RestartSec=60
+Environment="JAVA_HOME=/usr/bin/java"
+
+ExecStop=/usr/bin/bash /opt/hirs/aca/scripts/aca/aca_stop.sh
+Type=forking
+
+[Install]
+WantedBy=multi-user.target